NASA, we have a problem

Space agency tells informational privacy advocates that thousands more files than first reported were lost in Halloween computer theft

Retired JPL scientist Dr. Robert Nelson and other members of a class-action lawsuit that ultimately failed to stop NASA from cataloguing intimate information about its contract employees take little solace in knowing they were right — that personal data obtained by the government about its workers could somehow eventually fall into the wrong hands.

But with NASA currently admitting that it has lost tens of thousands more personnel files than originally believed with last fall’s theft of a password-protected but unencrypted laptop computer, Nelson is more concerned than content in knowing that he was right all along. What else, he asks, is the space agency not telling him and others affected by this latest agency-wide security breach?

Now, Nelson said soon after learning the actual number of personnel files affected totals 40,000, “We are demanding that they tell us exactly what they think they lost.”Informational Privacy Nelson and his fellow plaintiffs — former and current scientists and engineers at JPL, which is owned by NASA and managed by Caltech — claimed in their case before the US Supreme Court, NASA v. Nelson, that the government had no need to know details about such things as a contract employee’s drug use history and other potentially sensitive personal information that might come to light from interviews with former landlords, bosses, teachers, friends and lovers. Plus, NASA would be unable to adequately protect that information once it had it, they argued.

In January 2011, however, the US Supreme Court disagreed, voting 8-0 to uphold provisions of Homeland Security Presidential Directive #12 (HSPD-12), recommended by the 9/11 Commission, issued in 2004 by President George W. Bush and later implemented by the US Commerce Department.

The case, first filed as a request for a preliminary injunction before HSPD-12’s scheduled October 2007 implementation at JPL, was struck down by a US District Court judge in Los Angeles. However, the US Court of Appeals for the Ninth Circuit overturned that ruling, granting the injunction and setting the stage for NASA to appeal to the Supreme Court.

In the final analysis, the High Court found that the government has a legitimate need to thoroughly investigate its workers, even contract workers, as are most of JPL’s more than 5,000 employees.

“The Government has an interest in conducting basic background checks in order to ensure the security of its facilities and to employ a competent, reliable workforce to carry out the people’s business. The interest is not diminished by the fact that respondents are contract employees,” states the ruling. “There are no meaningful distinctions in the duties of NASA’s civil-service and contractor employees, especially at JPL, where contract employees do work that is critical to NASA’s mission and that is funded with a multibillion-dollar taxpayer investment.” Justice Elena Kagan sat out this case, having worked on implementing HSPD-12 in her former role as solicitor general.

The Privacy Act of 1974, Justice Samuel Alito wrote in the opinion for the court, prohibits the unwarranted release of confidential personnel files of government employees.

On Halloween night, at least the second portion of the respondents’ contention was proven correct — an unencrypted laptop computer containing thousands of personnel files, an unknown number of them possessing sensitive information acquired under provisions of HSPD-12, was stolen from a car parked in Washington, DC. At the time, NASA claimed 10,000 files full of “personally identifiable information” (PII) were stolen, sparking calls for a congressional investigation. On Tuesday, a NASA official told the Pasadena Weekly that number now stands at 40,000.

The next stepFor Nelson and others involved in the Supreme Court case, among them now-retired JPL flight engineer Dennis Byrnes and Mars rover Curiosity “driver” Scott Maxwell, who after 18 years at JPL is reportedly going to work for Google, fighting over the informational privacy issues raised by HSPD-12 didn’t end with the Supreme Court’s Jan. 19, 2011 ruling.

In early March, attorneys are expected to file briefs with Administrative Law Judge William G. Kocol, who in late January heard four days of testimony from Nelson, Byrnes and Maxwell, as well as NASA v. Nelson co-litigants JPL engineer Larry D’Addario and lab scientist William Banerdt, in an appeal to the National Labor Relations Board’s ruling in favor of the engineers and scientists.

The five men were accused of inappropriately using NASA email to communicate with other employees about the potential ramifications of the Supreme Court’s ruling. The NLRB found that Caltech and JPL violated the rights of Nelson and the others by issuing them discipline citations — two of which could result in dismissal — for sending out a co-written message on Jan. 27, 2011 regarding the possible impact of the Supreme Court’s decision on the lives of 8,000 people working at JPL and other NASA centers.

“We are not arguing the issues that were settled by the Supreme Court with regard to our original suit with HSPD-12. What we are arguing now is whether or not we have the right to inform our fellow employees of what the Supreme Court decision was and what the impact on them would be,” Byrnes explained.

“Obviously, we’re optimistic, and we’re not unbiased, but we think the judge will rule in our favor, and we have reason to expect Caltech will appeal that ruling. So that’s the next step,” he said, adding that much like the case against HSPD-12, this issue could also ultimately be decided by the Supreme Court.

“The NLRB had already notified Caltech that they are in violation of the National Labor Relations Act, and Caltech elected to spend all those resources to fight this before an administrative law judge,” Nelson noted. “They hired two lawyers from the Paul Hastings law firm downtown, and we know what the hourly charges are for those kinds of lawyers. For some reason,” he said, “they feel this is an important issue.”

40,000 notifiedIn a Feb. 1 email addressed to Byrnes, Kelly M. Carter, NASA’s Breach Response Team Lead in Washington, wrote that the agency learned of the latest batch of affected personnel files in mid-January, and has been “working non-stop since day 1 of the breach to analyze the backup file and identify individuals whose information was contained in it.”

For the most part, Carter writes, the latest files were from the Name Check Request System (NCRS), which pre-dated HSPD-12. “The format of some of the data, which included names, some SSNs [Social Security numbers], and some dates of birth was not conducive to automated searches and that’s why it was not found earlier in the process. It appears that the NCRS information was generated from old reports that were used for auditing or reporting the status of access requests to NASA facilities,” she wrote.

All told, Carter wrote, “The 18,000 [additional] individuals include current and former NASA civil servants and contractors from all NASA centers; approximately 3,500 of them were from JPL.” Up to that time, NASA had notified a total of 30,000 people about the Halloween laptop theft, Robert Jacobs, the space agency’s deputy administrator of public affairs, is quoted saying in a story that appeared in Saturday’s edition of The New York Times.

In the email to Byrnes, Caster said the additional lost files included less inclusive NCRS data dating back at least six years. But, Carter writes, “Information provided by individuals to obtain access to NASA facilities, in response to HSPD-12 or other requirements, was on the stolen laptop.”

By Tuesday, the number of lost files had been adjusted upward.

“It’s really 40,000,” said NASA spokesperson Allard Beutel. “We wanted to cast the widest net possible to make sure that we contacted anyone who possibly could be affected by this. We’ve sent letters to approximately 40,000 people, offering identity protection and credit monitoring.”

So far, said Beutel, whose own personal information was contained on the stolen laptop, “We have absolutely no indication at all that anyone’s personal information has been compromised.” The investigation remains ongoing, he said.

‘Certainly a mystery’NASA has had a number of problems keeping personal data secure. In 2007 and 2008, the Government Accountability Office (GAO) said the space agency had reported 1,120 “security incidents,” according to a 2009 story in The New York Times. The GAO report also revealed that in 2009 a NASA center reported the theft of another laptop computer, that one containing about 3,000 unencrypted files regarding arms traffic regulations and wind tunnel tests for a supersonic jet. NASA was eventually required to encrypt its laptops, according to The Times, but not all of the agency’s 38,000 laptops had been refitted by the time of the Halloween theft.

Nelson, who served as a co-investigator on NASA’s Voyager Grand Tour of the Solar System and was the project scientist for its Deep Space 1 mission, said he and other HSPD-12 plaintiffs warned of such a breach when they first filed their lawsuit in District Court more than five years ago.

“We were ignored by the courts,” Nelson told the Pasadena Weekly at the time of the computer theft. “Now, unfortunately, by virtue of the cavalier behavior of a NASA bureaucrat, our argument has been proven. Our nightmare of five years ago has become a reality.”

“Most everyone we know of at JPL who is an active employee, and some recent retirees, and some others who have been gone from JPL for quite a while are included in the list of people who have gotten letters. Obviously, there are many, many more at other NASA centers,” Byrnes told the Weekly.

“They are not saying who lost the laptop. That’s a personnel item. They won’t say who it was, and we have no idea,” Byrnes said. “But why an individual would have on their work laptop at NASA headquarters 40,000 people’s personal identification information … why they would be carrying that around is certainly a mystery.”

Nelson said he and his fellow litigants have been “absolutely vindicated” in their concerns about the possibility of their personal data being lost or stolen.

“We were correct in raising [the issue] to begin with, but we were surprised that Caltech continued to fight us on it. You would think the least they might give us is an apology,” he said. “Caltech also promised us that all our data would be secure.”